Does Restlet contain XACML? - restlet

Is XACML supported by Restlet? If so, how is it used?

XACML is not currently supported by Restlet.
There is an open issue on the matter, but it hasn't been touched in 4 years. It's currently considered a low priority enhancement.

You do not particularly need support from Restlet itself. You can use Java XACML PEP SDKs to write the enforcement point that will filter within the Restlet apps.
Have a look at WSO2 (open source) or Axiomatics (vendor). They are the main XACML 3.0 implementations and they both have Java SDKs to implement your own PEPs including support for Restlet.

Related

URL accessible at specific hours only XACML

I have a knotty problem (at least for me) to solve.
In a nutshell:
A web server exposing a single URL (static page)
the URL should only be accessible between 9 am and 5 pm
(every day)
the whole thing should be implemented through XACML
Questions
What do I actually need in order to accomplish my objective?
Is there any Oracle implementation of XACML which I should install? Is it by any chance free?
Could other XACML implementations be suitable? I'm referring to WSO2 Balana.
Which tools should I use?
How should I start?
Thanks a lot
You'll need:
a PEP (policy enforcement point) to intercept the request to the server. In your case you are controlling access to a web server. If you're using a Java web server e.g. Tomcat, you can implement a Servlet Filter PEP.
a PDP (policy decision point) to receive the request from the PEP and return a decision (either Permit or Deny). Oracle used to have a PDP solution called Oracle Entitlements Server (OES), but it was discontinued. Nowadays you have several options:
Balana, an open-source XACML engine
AuthZForce, the latest and possibly most complete open-source XACML 3.0 PDP
Axiomatics, a commercial solution that provides you with turnkey PDP, PEP, and policy authoring (aka PAP)
a PAP (policy administration / authoring point): you need to write your policy. I typically use ALFA, which is an easy-to-read shorthand notation for XACML.
In your case, the policy would look like the following:
policy allowOfficeHours{
    apply firstApplicable
    rule allowOfficeHours{
        target clause current_time>"09:00:00":time and current_time<"17:00:00":time
        permit
    }
}
Plan of action
Start
Start with downloading the PDP of your choice. If you need free, then go to AuthZForce. You can ask and tag questions with authzforce here. Their main architect / dev is active here.
Then download the ALFA plugin for Eclipse to start writing some policies.
Finally, use AuthZForce's PEP SDK to write your own PEP. Look at Java servlet filters as an easy means to write a PEP. Check out this post and that one for tips.
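The enforcement side described in the two answers above (a PEP that filters requests inside a Restlet application, or a servlet-filter PEP in front of Tomcat, handing the decision to a XACML 3.0 PDP) can be written without any vendor SDK by speaking the XACML REST/JSON profile directly. The following is an added example and is not code from either answer, from AuthzForce, Axiomatics or WSO2. It assumes a PDP exposing the JSON profile at a hypothetical `PDP_URL`, Restlet 2.x and Java 11+ (`java.net.http`) on the classpath; the attribute ids and the `application/xacml+json` media type are the standard ones. Two points worth noticing: the PEP is deny-biased, so the `firstApplicable` policy above, which returns NotApplicable rather than Deny outside 09:00-17:00, still blocks the request; and a PDP outage fails closed. The framework-neutral `XacmlPep` core can equally be wrapped in a `javax.servlet.Filter` for the Tomcat case.

```java
// Added example, not the original answers' code. PDP_URL is a hypothetical endpoint.
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.time.LocalTime;
import java.time.format.DateTimeFormatter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.Status;
import org.restlet.routing.Filter;
import org.restlet.security.User;

/** Framework-neutral PEP core: builds the XACML request, calls the PDP, returns the Decision. */
class XacmlPep {
    static final String PDP_URL = "http://localhost:8080/pdp"; // hypothetical PDP JSON endpoint
    private static final Pattern DECISION = Pattern.compile("\"Decision\"\\s*:\\s*\"([A-Za-z]+)\"");
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();

    /** Returns Permit, Deny, NotApplicable or Indeterminate; throws if the PDP cannot be reached. */
    String decide(String subject, String resource, String action) throws IOException, InterruptedException {
        // Many PDPs populate current-time themselves; sending it explicitly makes the request self-describing.
        String body = buildRequest(subject, resource, action,
                LocalTime.now().format(DateTimeFormatter.ofPattern("HH:mm:ss")));
        HttpRequest r = HttpRequest.newBuilder(URI.create(PDP_URL))
                .header("Content-Type", "application/xacml+json")
                .header("Accept", "application/xacml+json")
                .timeout(Duration.ofSeconds(2))
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = http.send(r, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IOException("PDP returned HTTP " + resp.statusCode());
        Matcher m = DECISION.matcher(resp.body()); // single-decision responses only
        return m.find() ? m.group(1) : "Indeterminate"; // no Decision at all counts as Indeterminate
    }

    /** XACML 3.0 JSON-profile request using the standard subject/resource/action/current-time ids. */
    static String buildRequest(String subject, String resource, String action, String time) {
        return "{\"Request\":{"
            + cat("AccessSubject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject, null) + ","
            + cat("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource, null) + ","
            + cat("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action, null) + ","
            + cat("Environment", "urn:oasis:names:tc:xacml:1.0:environment:current-time", time,
                  "http://www.w3.org/2001/XMLSchema#time")
            + "}}";
    }

    private static String cat(String category, String id, String value, String dataType) {
        String dt = dataType == null ? "" : ",\"DataType\":" + q(dataType); // omitted DataType means string
        return q(category) + ":{\"Attribute\":[{\"AttributeId\":" + q(id) + dt + ",\"Value\":" + q(value) + "}]}";
    }

    private static String q(String s) { // minimal JSON string escaping for ids, paths and times
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
}

/** Restlet filter guarding everything routed through it; wire it with new XacmlPepFilter(ctx, router). */
public class XacmlPepFilter extends Filter {
    private final XacmlPep pep = new XacmlPep();

    public XacmlPepFilter(Context context, Restlet next) { super(context, next); }

    @Override
    protected int beforeHandle(Request request, Response response) {
        User user = request.getClientInfo().getUser();
        String subject = user == null ? "anonymous" : user.getIdentifier();
        String decision;
        try {
            decision = pep.decide(subject, request.getResourceRef().getPath(), request.getMethod().getName());
        } catch (Exception e) {
            response.setStatus(Status.SERVER_ERROR_SERVICE_UNAVAILABLE); // fail closed on PDP outage
            return STOP;
        }
        if (!"Permit".equals(decision)) {
            // Deny-biased: Deny, NotApplicable and Indeterminate all refuse the request.
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN);
            return STOP;
        }
        return CONTINUE;
    }
}
```

Attach the filter between the application's inbound root and its router so every resource passes through it; the PDP then sees the caller identity Restlet already authenticated, the request path and the HTTP method, and the policy decides. A real deployment would swap the regex for a JSON parser and cache the HttpClient per application, but the deny-biased and fail-closed behaviour is the part that matters for security.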

Using open source XACML implementations for simulating a PDP, PEP and PAP

I am working on an ABAC project and am using the ALFA plug-in in Eclipse to write the policies and am enforcing the same through a Java program. Instead of that I want to make use of the open source XACML implementations available to simulate a PDP, PAP and PEP. How can I solve this?
Open source XACML 3.0 implementations:
AuthzForce
WSO2 Balana
(EDIT based on David's comment:) AT&T XACML.
More info on the XACML wikipedia page.
(Heras-AF and SunXACML are XACML 2.0 only.)

Does tomcat7 supports for SAML 2.0?

My application is running on Apache 2.0 server and my Java code is deployed on Tomcat 7.0. Now I am going to introduce the Single Sign-On concept into my application.
Does Tomcat 7.0 support SAML 2.0?
If yes, please clarify: compatibility-wise, what is the difference between SAML 1.0 and SAML 2.0?
Tomcat 7.0 does not look to have native SAML support, but since you don't specify particular restrictions and want to introduce Single Sign-On, you might be interested in the Apache CXF suite (link to SSO page), in particular the Fediz plugin (see architecture).
The main concern between SAML 1.x and SAML 2.x (as protocols) is that 2.x is not backwards-compatible (new and renamed XML tags, protocol and binding changes).
If you ask which version is "better" when starting fresh, I say 2.x. If you need to support both, you might need a kind of converting gateway/proxy (Fediz supports 1.1 tokens, but I didn't use it).
To the best of my knowledge Tomcat 7 does not have a SAML SP provider implementation. You may have a look at the Spring Security SAML extension or PicketLink (https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration)

Generating REST API Documentation from Restlet annotations

The RESTful Web service APIs are implemented using Restlet. I need to generate the API documentation for these. Rather than starting with a separate document, I am evaluating if this can be generated from the source code annotations itself.
I looked at Swagger and enunciate. Swagger seems to be based on the JAX-RS specification. Enunciate looked a little more promising as there is an FAQ that mentions how to generate for non JAX-RS implementations but there is no help.
Are there any tools (or if the community has used any) for generating API documentation from Restlet annotations?
Has anyone integrated Restlet with enunciate for generating documentation?
Restlet now supports generating either Swagger or RAML content from your application at runtime.
The following docs could help you:
For Swagger (extension org.restlet.ext.swagger): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/swagger
for RAML (extension org.restlet.ext.raml): see http://restlet.com/technical-resources/restlet-framework/guide/2.3/extensions/raml
You can then leverage tools from the community to generate your API documentation. You could consider Swagger UI, which is a great tool to display online what an API provides and interact with it.
Hope it helps you,
Thierry

How to choose between Jersey, Apache Wink and JBoss RESTEasy? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I just heard about Apache Wink, and I was wondering what differences it had compared to Jersey or JBoss RESTEasy. What can be done in one that the other two can't?
We've been using Jersey for some of our internal projects mostly for its simplicity, but I can't really figure out what makes these other two so much better that I would consider switching. Does anyone have any use-cases for which niche each of these fills?
JAX-RS Implementations
Jersey
Reference Implementation
Usually the most cutting edge
Supports true asynchronous (i.e. WebSockets etc.) connections through either Atmosphere or the 2.0 version.
Has support for Spring and standard injection containers (i.e. @Inject).
Glassfish bundles it.
It's much more modular than the other JAX-RS projects.
It has a kick ass URI Builder
Does not necessarily require servlet container.
Grizzly support
Netty support (very early).
Swagger support
Sort of missing OAuth 2.0. You'll have to use other libraries.
Some MVC support through Viewables
Hosted on java.net (a minus as the site is terribly slow at times).
Licensing is based on CDDL 1.1 and GPL-v2. Please make sure you check Jersey licensing before you use it for commercial use:
https://jersey.github.io/license.html
RestEasy
Much of the above but most notable supports view technologies (see HTMLEasy)
It does have asynchronous connection support
Cache support
EJB support (if you're into that crap)
JBoss bundles it (I think)
Netty support
Arguably the best Spring integration (MVC handler).
Early Swagger support
More security support including early OAuth 2.0 support
Apache Wink (never used it)
I have no idea why this project exists.
Supposedly its high performance focused.
It has a client built on top of HttpUrlConnection (which is a minus... it should be pluggable like Spring RestTemplate).
Basically Wink was developed in house at some enterprise companies and then given to Apache.
Requires a servlet container.
Restlet
Very powerful but very complicated
Provides some low-level REST support
Does not require a servlet container
Apache CXF
Some interesting WADL support.
Reuse and or combine JAX-RS w/ JAX-WS
Security support
Integration w/ Spring albeit kind of nasty
Supposed Autogeneration of client stubs
Other RPC-like systems
Message Queues
RabbitMQ
ActiveMQ
Asynchronous RPC
Finagle -- from Twitter.
msgpack-rpc
My humble opinion
I know the OP asked for REST but if this is for internal communication seriously consider using either a message queue or some other asynchronous RPC (Finagle) instead of traditional REST if your requirements match those systems.
If it must be classic HTTP REST (external) I would choose between either RestEasy or Jersey as a bulk of the mind share is put into those two projects.
Also see: Rest clients for Java?
When choosing the implementation to use have this in mind: if you try to deploy a Jersey web service to JBOSS 7.1, it will not work. This error will occur:
Only one JAX-RS Application Class allowed
This is because REST Easy comes bundled with JBOSS as the default JAX-RS implementation. So, JBOSS will decide that that's the implementation you want to use and will not load another JAX-RS implementation (like Jersey). In order to fix this, you need to add the following lines to your web.xml file:
<context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>false</param-value>
</context-param>
<context-param>
    <param-name>resteasy.scan.providers</param-name>
    <param-value>false</param-value>
</context-param>
<context-param>
    <param-name>resteasy.scan.resources</param-name>
    <param-value>false</param-value>
</context-param>
Link: https://community.jboss.org/message/744530
One of my favourite Jersey extensions is Viewables. Viewables allow you to bind your data easily to a JSP page to implement a true Model-View-Controller (MVC) architecture:
http://blogs.oracle.com/sandoz/entry/mvcj
If you're going to use JBoss 7.x you must use RestEasy, 'cause it's integrated in JBoss. To use Jersey with JBoss 7.x, you have to disable RestEasy and it is complicated!